Digital Marketing Hub

GDPR And Email Marketing: What You Must Do To Avoid Hefty Fines

The GDPR (General Data Protection Regulation) entered into force on 25 May 2018. The new EU directive focuses on the protection of personal private data. What private individuals will benefit from is currently a major challenge for marketers when it comes to handling personal data correctly in the future.

Since the topic of the GDPR is very extensive, this article deals specifically with how it applies to the email marketing channel. The following information is not legally binding and should be understood only as recommendations for information purposes.

Review - where does the GDPR come from?

The current European privacy policy was actually created in 1980, long before new technologies such as smartphones, tablets, artificial intelligence or the like were around. The use of personal data has therefore long needed a revised version that is tailored to the digital, data-driven world.

This is precisely the point of the new GDPR, which has been discussed for some time now and actually came into force two months ago. If the new data protection guidelines are not adhered to, companies in all sectors will be liable to pay very high fines in the future.

The entry into force of the law at the end of May is binding for all companies.

Paragraph 7 (1-3) UWG

In Germany, advertising in emails is governed by the Telemedia Act (TMG), the Federal Data Protection Act (BDSG) and by Section 7 para. 1-3 UWG (Law against Unfair Competition).

Accordingly, advertising may only be sent by email in certain cases, especially if it is unclear how email addresses have been collected and whether the recipients have given their consent.

While section 7 (1-3) UWG regulates the nuisance aspect of advertising emails, the content of the GDPR focuses on the protection of personal data as well as the tracking of information that could potentially be misused or abused by advertisers.

This paragraph remains valid even after the entry into force of the GDPR and, as long as no personal data is used, is to be considered separately from the topic of data protection.

The new privacy policy and its opportunities and risks

For many companies, the switch to a European guideline on data protection means a big bang. Nevertheless, the benefits of privacy should be seen in the use of private data.

In digital marketing, everyone (including marketing managers) is Consumer First and Marketer Second, so everyone should welcome the right to transparent data collection.

Companies should now see the GDPR as a way of sorting the existing data jungle and learning to profit from the valid, high-quality (because interested) leads in the data pool.

Above all, the conscious decision of the users, namely to confirm the registration for a newsletter through a double opt-in, will be even more important in the future.

For quite some time, it has not been enough to leave your email address in a simple signup form. The user must confirm a second time, via a link in a confirmation email, that the newsletter signup may go ahead and that personal data may be passed on.

Many providers also send in this confirmation email an overview of the personal data stored with the registration.

Particularly in email marketing, valid leads are an important KPI. Anyone who has been annoyed by excessive wastage in the past now has the opportunity to better reach their target group in the future through a new selection of mailing contacts. This not only saves time but also money.

Perhaps in the past laboriously constructed automation routes did not convert as desired. Contacts who have not subscribed to a newsletter themselves will certainly not have much interest in the content of the promotional emails. The review of the data pool with regard to the GDPR can therefore bring a great advantage and prevents recipients from perceiving it as spam.

The Double Opt-In: You should pay attention to this

Email marketing companies are recommended to review internal data processing to ensure compliance with the GDPR.

• What data is stored in the company?

• Which data processing is used (CMS / HR tool)?

• Is there an opt-in for all contacts?

• Which data may be used?

• Can the opt-in confirmations be proven?

• Were data purchased / generated by sweepstakes?

• How long will data be stored?

• Is there an option for opt-out?

• Must opt-in consent of parents of minors (under 16) be obtained?

Due to the increased fines for data protection abuse, it is advised to take all legal precautions to avoid pitfalls. Specifically, it must be proven that a newsletter subscription was generated through a double opt-in procedure.

Important during the registration process is the correct display of mandatory fields within the signup form. While the email address may be required, other personal information such as age, gender, place of residence, language, etc. may only be displayed as optional fields.

If, in hindsight, a private individual makes a request regarding their own data processing, the company must be able to provide this information as transparently as possible.

Relevant in this context are, for example, the legibility of the opt-in notice, the comprehensibility of the text, the design of the page and the positioning of the information on data processing.

The opt-in can, for example, also be obtained after the fact by telephone: users are contacted where possible and can then submit their consent in writing.

GDPR - continue to generate leads with opt-in

To continue sending email campaigns in the future without being penalized, it should be ensured that there is clear consent from the user for each contact.

An email recipient must confirm that he has been informed unequivocally about the use of the data and that he has confirmed this voluntarily.

For this purpose, companies are obliged to provide clear information on the intended use of the data ("With this consent, you confirm that you wish to receive the newsletter from XY") and on the period for which the data is stored ("You can always unsubscribe from the newsletter here. Your data will be deleted immediately").

Make sure that, when a user unsubscribes, the data is actually deleted and not just deactivated in the newsletter tool. The process also needs to be more transparent. According to Art. 17 GDPR, every person has the right to be deleted from any newsletter lists that affect them.

For an existing email distribution list, it must be checked whether the requirements for consent and for the duration of data storage have already been lawfully met, or whether there is no opt-in. Non-compliant data should be deleted beforehand for safety reasons.

If this opt-in information already exists, no new consent needs to be requested.

A special case, with the entry into force of Art. 8 of the GDPR, applies to email recipients under 16 years of age. These require parental consent. If the consent is missing, these contacts may not be used in the future.

Particularly critical is the use of mail addresses, which were generated by prize draws and competitions. In this case, the coupling ban will take effect in the future. This determines that mail addresses generated by such promotions may not be used commercially for other purposes.

Tip: Leads can still be generated through a raffle. In that case, however, the acquisition model must be adjusted and the user again clearly informed that the email address will be passed on.

However, sweepstakes are not the only way to generate leads. Leads obtained through downloads of white papers, e-books or images are promising, as the download may already imply an interest in your product or service.

If the whitepaper download is linked to a newsletter subscription, the users must also be informed of this separately. The CTA "free download" is not considered an opt-in confirmation. Again, the user must clearly agree that the download will register him for the newsletter.

Ultimately, the user pays for the download with his data, which is why the term "free" would be wrong and could lead to a warning.

The above example does not make it clear who will have access to the data after registering for the newsletter or which information or products the user will be informed about in the newsletter. The reference to the opt-out is missing.

Providers of apps should also be aware that email addresses generated via the app download cannot simply be used for commercial purposes. This may also be illegal, since an opt-in was not necessarily generated with an app download. Similarly, companies could be penalized for misuse of such data.

Duration of personal data storage

Lifelong data storage is prohibited. In any case, the user should be informed about the retention period of his data and know how long personal data will be stored. For businesses, this may mean updating the current privacy policy and introducing data deletion. Anyone who has questions here is well advised to seek help from a data protection officer.

If the updated privacy policy requires changes to the website or app, it's important to keep a record of it. Screenshots of this are already sufficient in many cases, but this should also be individually checked by a data protection officer.

Benefit from the GDPR in email marketing

The GDPR poses great challenges for companies with regard to transparent handling of personal data in email marketing. Ultimately, the shift to dedicated temporary data storage will change the way personal information is handled.

What was initially seen as an annoying but necessary evil will become a valuable must-have in the future. Leads generated by various actions will be valid and correspondingly closer to their target audience than before.

Over the past few years, marketers, especially in the email marketing area, have been faced with the challenge of generating large numbers of email addresses internally or purchasing them externally for a sometimes excessive TKP (cost per thousand contacts).

The scatter losses left much to be desired in many cases. Open rates, click-through rates, and conversion rates were poor, leaving many of the campaigns short of the predicted return on investment (ROI).

This can now change with the entry into force of the EU GDPR. As marketers, we know that our own level of interaction with a product or service is highest when it is programmatically tailored to our needs.

Once the opt-in becomes compulsory for all EU member states, end users will also be more concerned with tracking who is storing data for what reason and for what period of


Instead of randomly leaving data on the Internet, users will post their data where it is relevant to them. By then, according to forecasts, all channels in the online marketing mix, such as email marketing, can benefit from improved click through rates and conversions.

To what extent the GDPR will be extended by the e-privacy directive at the end of 2018 / beginning of 2019 remains to be seen. However, it is expected that data collection across Europe will be further aligned and controlled.
